TWI601063B - Computer system and data processing method using random number generator - Google Patents
- Publication number
- TWI601063B (application TW101134236A)
- Authority
- TW
- Taiwan
- Prior art keywords
- random number
- number generator
- processor
- computer system
- generator
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/58—Random or pseudo-random number generators
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Optimization (AREA)
- General Engineering & Computer Science (AREA)
- Computational Mathematics (AREA)
- Storage Device Security (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
Description
The present invention relates to a computer system and a data processing method that use a random number generator.
Security operations in many user applications, such as cryptographic procedures or identification, need random numbers. A conventional way to obtain random numbers is to use the random number generator (PRNG) in the operating system; a well-known example is the Linux® random number generator (LRNG). For more details, see the paper: Zvi Gutterman, Benny Pinkas, and Tzachy Reinman. 2006. Analysis of the Linux Random Number Generator. In Proceedings of the 2006 IEEE Symposium on Security and Privacy (SP'06).
For more conventional approaches in which the operating system generates random numbers for applications, see U.S. Patent Application Publication Nos. US Pub.2010/00023749 or US Pub.2011/0047545, which are incorporated herein by reference.
One aspect of the present invention is to propose a new computer system and data processing method that use a random number generator. In particular, the invention addresses the shortcoming that the software-based random number generator of a conventional operating system has insufficient entropy. The problem is more pronounced for many embedded systems, whose operation lacks unpredictable external factors (such as user data access) to serve as an entropy source.
In addition, the program code or operating architecture of many common operating systems, such as Linux®, is open to the public. If the operating system's software-based random number generator is used, its generation mechanism can be known, so a hacker has a higher chance of successfully estimating the random numbers that the operating system's random number generator can produce, which creates a security vulnerability.
To address this, another aspect of the invention is to receive random numbers from a further random number generator, other than the operating system's random number generator, to supply what the security operations in a user application need.
According to one embodiment of the invention, a computer system comprises:
●an operating system;
●a processor that executes a user application under the operating system and is connected to a first random number generator;
●wherein, in response to the random number requirement of a security operation in the user application, the processor receives random numbers from the first random number generator and provides the random numbers generated by the first random number generator to the user application to perform the security operation;
●wherein the first random number generator is not the random number generator of the operating system.
According to another embodiment of the invention, a data processing method is used in a computer system that comprises an operating system and a processor, the processor being connected to a first random number generator. The method comprises:
●the processor receiving random numbers from the first random number generator, wherein the first random number generator is not the random number generator of the operating system; and
●the processor providing the received random numbers to a user application to perform a security operation.
According to another embodiment of the invention, a data processing method is used in a computer system that comprises an operating system and a processor, the processor being connected to a first random number generator and a second random number generator. The method comprises:
●the processor selectively receiving random numbers from the first random number generator or from the second random number generator, wherein at least the first random number generator is not the random number generator of the operating system;
●the processor selecting, according to the value of the parameter, whether to receive random numbers from the first random number generator or from the second random number generator.
The features, advantages, or similar expressions mentioned in this specification do not imply that all features and advantages achievable with the invention are within any single embodiment of the invention. Rather, it should be understood that expressions concerning features and advantages mean that a particular feature, advantage, or characteristic described in connection with an embodiment is included in at least one embodiment of the invention. Accordingly, discussions of features and advantages, and similar expressions, in this specification may relate to the same embodiment, but need not.
These features and advantages of the invention will become clearer with reference to the following description and the appended claims, or by practicing the embodiments of the invention set out below.
References in this specification to "an embodiment" or similar expressions mean that a particular feature, structure, or characteristic described in connection with that embodiment is included in at least one embodiment of the invention. Therefore, appearances of the phrase "in one embodiment" and similar expressions in this specification do not necessarily refer to the same embodiment.
Those skilled in the art will appreciate that the invention may be implemented as a computer system, a method, or a computer-readable medium serving as a computer program product. The invention may therefore take various forms, such as an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, microcode, etc.), or an embodiment combining software and hardware, which is referred to below as a "circuit", "module", or "system". In addition, the invention may be implemented as a computer program product in any tangible medium having computer-usable program code stored on it.
Any combination of one or more computer-usable or computer-readable media may be used. For example, the computer-usable or computer-readable medium may be, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples of computer-readable media include (as a non-limiting list): an electrical connection made up of one or more wires, a portable computer diskette, a hard disk drive, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc (CD-ROM), an optical storage device, a transmission medium (such as the underlying connections of the Internet or an intranet), or a magnetic storage device. Note that the computer-usable or computer-readable medium may even be paper or any other suitable medium on which the program is printed so that the program can be made electronic again, for example by optically scanning the paper or other medium, then compiling, interpreting, or otherwise processing it as necessary, and then storing it in computer memory. In this document, a computer-usable or computer-readable medium may be any medium that holds, stores, communicates, propagates, or transports program code for processing by an instruction execution system, apparatus, or device connected to it. The computer-usable medium may include a propagated data signal in which computer-usable program code is stored, whether in baseband or as part of a carrier wave. Computer-usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, radio frequency (RF), and the like.
Computer program code for carrying out the operations of the invention may be written in any combination of one or more programming languages, including object-oriented programming languages (such as Java, Smalltalk, C++, or the like) and conventional procedural programming languages (such as the C programming language or similar programming languages).
The description of the invention below refers to flowcharts and/or block diagrams of systems, apparatus, methods, and computer program products according to embodiments of the invention. It will be understood that each block of each flowchart and/or block diagram, and any combination of blocks in the flowcharts and/or block diagrams, can be implemented with computer program instructions. These computer program instructions may be executed by a machine made up of the processor of a general-purpose or special-purpose computer or of another programmable data processing apparatus, and the instructions, processed by the computer or other programmable data processing apparatus, implement the functions or operations described in the flowcharts and/or block diagrams.
These computer program instructions may also be stored on a computer-readable medium to direct a computer or other programmable data processing apparatus to perform particular functions, and the instructions stored on the computer-readable medium constitute an article of manufacture whose instructions implement the functions or operations described in the flowcharts and/or block diagrams.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operating steps is performed on the computer or other programmable apparatus, and executing the instructions on that computer or other programmable apparatus produces a computer-implemented process that achieves the functions or operations described in the flowcharts and/or block diagrams.
Next, refer to FIGS. 1 to 2, which show flowcharts and block diagrams of the architecture, functions, and operations that systems, methods, and computer program products according to various embodiments of the invention may implement. Each block in a flowchart or block diagram may thus represent a module, segment, or portion of program code that contains one or more executable instructions for implementing the specified logical function. Note also that in some other embodiments the functions described in the blocks may be performed out of the order shown in the figures. For example, two blocks shown as connected may in fact both be executed, or, depending on the functions involved, may in some cases be executed in the reverse of the order shown. Note further that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented by special-purpose hardware-based systems, or by combinations of special-purpose hardware and computer instructions, to perform the specified functions or operations.
FIG. 1 shows the hardware architecture of a computer system 100 in one embodiment. For the other basic architecture and components of the computer system 100, see an ordinary personal computer or server, such as IBM's System X, Blade Center, or eServer servers. Note, however, that the computer system 100 may also be implemented as an embedded system, such as a network device or a wireless network access device (Access Point), which lacks the hard disk, mouse, or keyboard (not shown) that an ordinary personal computer has.
The computer system 100 first has a central processor 102, or other equivalent processing circuitry, for running the operating system OS. The Linux operating system can serve as an example of the operating system OS. Corresponding versions of the Linux operating system exist for every form of computer system 100, from embedded systems to large servers; this is well known to those skilled in the art and is not described further here. It should be understood, however, that the invention is not intended to be limited to the Linux operating system.
In addition, the central processor 102 executes a user application AP under the operating system OS. The user application AP may be built into the operating system OS, or may be a user application that the user installs separately under the operating system OS. The invention is not intended to limit the functions the user application AP provides, but the user application AP should need random numbers to perform security operations, such as the cryptographic procedures or identification required for communication.
In particular, the central processor 102 is connected to a random number generator RNG1. The random number generator RNG1 is not the random number generator of the operating system OS (for example LRNG); preferably, the random number generator RNG1 is a hardware random number generator. In one example, the hardware random number generator RNG1 accompanies the central processor 102, that is, the hardware random number generator RNG1 and the central processor 102 are implemented on the same chip. In another example, the hardware random number generator RNG1 and the central processor 102 are implemented on different chips in the computer system 100; for example, the hardware random number generator RNG1 may be implemented on a hardware cryptographic accelerator (such as an SSL Accelerator computer card) and need not be on the same motherboard (not shown) as the central processor 102. The hardware random number generator RNG1 may even be located outside the computer system 100 and connected to the central processor 102 through a network or another kind of connection. For more details on hardware random number generators, see the related Wikipedia article (http://en.wikipedia.org/wiki/Hardware_random_number_generator).
Note, however, that the random number generator RNG1 need not be implemented as a hardware random number generator. In another example, the random number generator RNG1 is implemented through a computer system (not shown) other than the computer system 100; as long as this additional computer system can provide random numbers to the central processor 102 in the computer system 100, the invention does not limit whether it generates them with a hardware random number generator or in any other way. In yet another example, the random number data that is generated or selected may be provided to other virtual machine applications (not shown) installed on the computer system 100 for whatever subsequent processing or use is required.
On the other hand, the central processor 102 is preferably also connected to another random number generator RNG2. The ways of implementing the random number generator RNG1 described above may also be used to implement the random number generator RNG2, but, unlike the random number generator RNG1, the random number generator RNG2 may be the software-based random number generator of the operating system OS (for example LRNG). Note also that, besides the random number generators RNG1 and RNG2, the central processor 102 may be connected to further random number generators (not shown), and more random number generators will help the user application AP achieve better security; more details are described later.
The memory control method of an embodiment of the invention is described below with reference to the hardware architecture shown in FIG. 1 and the flowchart of FIG. 2.
●Step 200: This step can be regarded as initial setup. The central processor 102 determines the number of random number generators connected to it. In this embodiment, the central processor 102 is connected to the random number generator RNG1 and the random number generator RNG2, but the invention is not limited to this.
●Step 202: The central processor 102 provides a parameter that changes continuously over time, for later use in selecting between the random number generator RNG1 and the random number generator RNG2. In one embodiment, this parameter is the Jiffies of the central processor 102: each time a timer interrupt occurs, the Jiffies variable is incremented by 1. For more on Jiffies, see Klaus Wehrle, Frank Pählke, Hartmut Ritter, Daniel Müller, Marc Bechler, The Linux® Networking Architecture: Design and Implementation of Network Protocols in the Linux Kernel, Chapter 2.7: Timing in the Linux Kernel. The advantage of using Jiffies in this embodiment is that its value changes continuously over time and the change is not easy to predict, so security is better; the invention is not, however, intended to be limited to Jiffies.
●Step 204: When random numbers are needed for the user application AP, the central processor 102 obtains the current value of Jiffies.
●Step 206: Based on the parameter value obtained in step 204, decide whether to receive random numbers from the random number generator RNG1 or from the random number generator RNG2.
For example, the design may select the random number generator RNG1 when the value of Jiffies is odd and the random number generator RNG2 when the value of Jiffies is even, or vice versa.
In addition, if the random number generator RNG1 and the random number generator RNG2 differ in how efficiently they generate random numbers, they can be given different weights based on the value of Jiffies. For example, the random number generator RNG1 is selected when the value of Jiffies is a multiple of 3 and the random number generator RNG2 is selected otherwise, so the probability of selecting the random number generator RNG2 is twice that of selecting the random number generator RNG1. The value of Jiffies thus lets the user further adjust the weight of each random number generator. Note that the invention is not intended to limit the method by which the random number generator RNG1, the random number generator RNG2, or further random number generators (not shown) are selected from the value of Jiffies. Also, if in step 200 the central processor 102 is connected only to the random number generator RNG1, step 206 can be skipped.
●Step 208: After receiving random numbers from the random number generator RNG1 or the random number generator RNG2, the central processor 102 provides the received random numbers to the user application AP, and can then return to step 204.
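The selection procedure of steps 200 to 208, as an added example in C that is not code from the patent. A plain tick counter stands in for Jiffies, `rng1_read` and `rng2_read` are constructed stand-ins that tag their output so the chosen source is visible, and all struct and function names are assumptions; weights 1 and 2 reproduce the multiple-of-3 rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A random source fills buf with len bytes and returns 0 on success. */
typedef int (*rng_read_fn)(uint8_t *buf, size_t len);

struct rng_source {
    const char *name;
    rng_read_fn read;      /* NULL means "not connected" */
    unsigned weight;       /* share of tick values that select this source */
    unsigned long served;  /* requests answered by this source */
};

/* Constructed stand-ins: a real system would call a hardware RNG driver
 * (RNG1) and the OS generator (RNG2). The fixed tag bytes only make the
 * selected source observable in this demo. */
static int rng1_read(uint8_t *buf, size_t len) { memset(buf, 0xA1, len); return 0; }
static int rng2_read(uint8_t *buf, size_t len) { memset(buf, 0xB2, len); return 0; }

/* Step 200: count the connected generators. */
static size_t rng_count(const struct rng_source *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n].read != NULL)
        n++;
    return n;
}

/* Step 206: map the sampled tick value to a source index by weight.
 * With a single source the selection is skipped, as the text allows. */
static int rng_select(const struct rng_source *s, size_t n, unsigned long tick)
{
    unsigned long total = 0, r;
    size_t i;

    if (n == 0)
        return -1;
    if (n == 1)
        return 0;
    for (i = 0; i < n; i++)
        total += s[i].weight;
    if (total == 0)
        return -1;
    r = tick % total;
    for (i = 0; i < n; i++) {
        if (r < s[i].weight)
            return (int)i;
        r -= s[i].weight;
    }
    return -1; /* not reached */
}

/* Steps 204 to 208: sample the tick, pick a source, read, hand over.
 * A failed read is reported instead of returning an unfilled buffer. */
static int rng_provide(struct rng_source *s, size_t n, unsigned long tick,
                       uint8_t *buf, size_t len)
{
    int idx = rng_select(s, n, tick);

    if (idx < 0 || s[idx].read(buf, len) != 0)
        return -1;
    s[idx].served++;
    return idx;
}

/* Demo helper: serve one request per tick for ticks 0..ticks-1 and return
 * how many were answered by source `which` (0 = RNG1, 1 = RNG2).
 * A weight of 0 for RNG2 models RNG2 not being connected. */
unsigned long demo_count(unsigned w1, unsigned w2, unsigned long ticks, int which)
{
    struct rng_source src[2] = {
        { "RNG1", rng1_read, w1, 0 },
        { "RNG2", w2 ? rng2_read : NULL, w2, 0 },
    };
    size_t n = rng_count(src, 2);
    uint8_t buf[16];
    unsigned long t;

    for (t = 0; t < ticks; t++)
        if (rng_provide(src, n, t, buf, sizeof buf) < 0)
            return 0;
    return src[which].served;
}

/* Demo helper: which source index a given tick value selects. */
int demo_pick(unsigned w1, unsigned w2, unsigned long tick)
{
    struct rng_source src[2] = {
        { "RNG1", rng1_read, w1, 0 },
        { "RNG2", w2 ? rng2_read : NULL, w2, 0 },
    };
    return rng_select(src, rng_count(src, 2), tick);
}

int main(void)
{
    printf("weights 1:2 over 3000 ticks -> RNG1=%lu RNG2=%lu\n",
           demo_count(1, 2, 3000, 0), demo_count(1, 2, 3000, 1));
    printf("tick 9 -> source %d, tick 10 -> source %d\n",
           demo_pick(1, 2, 9), demo_pick(1, 2, 10));
    return 0;
}
```

Because the choice is a pure function of the tick value, the selection adds no entropy of its own; each connected source has to be adequate by itself.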
Note that the random numbers produced by the random number generator RNG1 differ in meaning from the bits that the random number generator of the operating system OS must obtain from other hardware (keyboard or hard disk) when it operates. Therefore, between the central processor 102 receiving random numbers from the random number generator RNG1 and providing them to the user application AP, there should be no need to use the random number generator of the operating system OS (which may be implemented as the random number generator RNG2) to apply additional software randomness processing to the random numbers produced by the random number generator RNG1. Similarly, the processor should not need to apply software whitening to the received random numbers, or to hash or encrypt them further.
For software processing and software whitening of random numbers, see: Viega, J. Practical Random Number Generation in Software. Proceedings of the 19th Annual Computer Security Applications Conference. December 2003.
In another embodiment, however, if the random numbers provided by the random number generator RNG1 do not yet meet a particular security standard, such as the FIPS-140 standard, the central processor 102 may process the random numbers provided by the random number generator RNG1 so that they meet the standard, and then provide them to the user application AP.
The invention may be embodied in other specific forms without departing from its spirit or essential characteristics. All aspects of the described embodiments are to be considered illustrative only and not restrictive. The scope of the invention is therefore indicated by the appended claims rather than by the foregoing description. All changes that come within the meaning and range of equivalency of the claims are to be regarded as falling within the scope of the claims.
100‧‧‧computer system
OS‧‧‧operating system
AP‧‧‧user application
102‧‧‧central processor
RNG1‧‧‧random number generator
RNG2‧‧‧random number generator
Step (200)‧‧‧determine the number of random number generators
Step (202)‧‧‧provide a parameter that changes continuously over time
Step (204)‧‧‧obtain the current value of the parameter
Step (206)‧‧‧decide on a random number generator according to the parameter value
Step (208)‧‧‧receive random numbers from the chosen random number generator and provide them to the user application
To understand the advantages of the invention at once, refer to the specific embodiments shown in the accompanying drawings for a detailed description of the invention briefly described above. With the understanding that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope, the invention is described with additional specificity and detail with reference to the drawings, in which: FIG. 1 shows a computer system according to an embodiment of the invention; FIG. 2 shows a flowchart of a method according to an embodiment of the invention.
Claims (7)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW101134236A TWI601063B (en) | 2012-09-19 | 2012-09-19 | Computer system and data processing method using random number generator |
| US14/017,928 US9081635B2 (en) | 2012-09-19 | 2013-09-04 | Provision to an application of a random number not generated by an operating system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW101134236A TWI601063B (en) | 2012-09-19 | 2012-09-19 | Computer system and data processing method using random number generator |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201413580A (en) | 2014-04-01 |
| TWI601063B (en) | 2017-10-01 |
Family
ID=50974695
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW101134236A TWI601063B (en) | 2012-09-19 | 2012-09-19 | Computer system and data processing method using random number generator |
Country Status (2)
| Country | Link |
|---|---|
| US (1) | US9081635B2 (en) |
| TW (1) | TWI601063B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI497409B (en) * | 2014-07-18 | 2015-08-21 | Winbond Electronics Corp | Random number generator and method for generating random number thereof |
| US9436529B2 (en) | 2014-12-26 | 2016-09-06 | Red Hat, Inc. | Providing random data to a guest operating system |
| TWI634479B (en) * | 2017-10-11 | 2018-09-01 | 華邦電子股份有限公司 | Random number generation system and random number generating method thereof |
| CN109656514B (en) | 2017-10-11 | 2023-08-15 | 华邦电子股份有限公司 | Random number generation system and random number generation method thereof |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6886023B2 (en) * | 2002-01-14 | 2005-04-26 | Ip-First, Llc | Apparatus for generating random numbers |
| TW200841206A (en) * | 2006-11-30 | 2008-10-16 | Atmel Corp | Method and system for secure external TPM password generation and use |
| US20100023749A1 (en) * | 2008-01-07 | 2010-01-28 | Aruba Networks, Inc. | Harvesting Entropy from Trusted Cryptographic Sources |
| TW201034423A (en) * | 2009-03-10 | 2010-09-16 | Univ Chang Gung | User authentication technology and system using one-time password composed of a repeatable first password and a non-repeatable password |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5454039A (en) * | 1993-12-06 | 1995-09-26 | International Business Machines Corporation | Software-efficient pseudorandom function and the use thereof for encryption |
| TW536672B (en) * | 2000-01-12 | 2003-06-11 | Hitachi Ltd | IC card and microcomputer |
| US6871206B2 (en) * | 2001-11-20 | 2005-03-22 | Ip-First, Llc | Continuous multi-buffering random number generator |
| CN100458685C (en) | 2006-05-26 | 2009-02-04 | 北京中星微电子有限公司 | Device and method for generating randow number |
| US8632407B2 (en) | 2007-08-01 | 2014-01-21 | Cfph, Llc | General gaming engine |
| US8782801B2 (en) * | 2007-08-15 | 2014-07-15 | Samsung Electronics Co., Ltd. | Securing stored content for trusted hosts and safe computing environments |
| US8738676B2 (en) | 2009-05-29 | 2014-05-27 | International Business Machines Corporation | Entropy generation on a parallel computer system |
| US9495190B2 (en) | 2009-08-24 | 2016-11-15 | Microsoft Technology Licensing, Llc | Entropy pools for virtual machines |
- 2012-09-19: TW application TW101134236A, patent TWI601063B, not active (IP Right Cessation)
- 2013-09-04: US application US14/017,928, patent US9081635B2, active
Also Published As
| Publication number | Publication date |
|---|---|
| US20140177832A1 (en) | 2014-06-26 |
| US9081635B2 (en) | 2015-07-14 |
| TW201413580A (en) | 2014-04-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| TWI610589B (en) | | Device-to-device (d2d) transmit behavior |
| TWI601063B (en) | | Computer system and data processing method using random number generator |
| JP2020506633A5 (en) | | |
| JP2019046460A (en) | | Inference device and method |
| CN112565026B (en) | | Test frame generation method, device and equipment |
| CN110058676A (en) | | A kind of method for oscillating, electronic equipment and storage medium |
| CN105700821B (en) | | Semiconductor device and compression/decompression method thereof |
| EP3279795A1 (en) | | Method and apparatus for deleting cloud host in cloud computing environment, server and storage medium |
| US9928370B2 (en) | | Communication device, communication method, computer program product, and communication system |
| WO2014187413A1 (en) | | Method and apparatus for allocating resource to lte cell, and base station and storage medium |
| US11829304B2 (en) | | Pairing of external device with random user action |
| US20150331671A1 (en) | | Generating pseudo-random numbers using cellular automata |
| US8615609B2 (en) | | System, method, and computer program product for inserting a gap in information sent from a drive to a host device |
| US10419447B2 (en) | | Real-time adaptive receive side scaling key selection |
| JP2017163236A (en) | | Radio communication device, radio communication method, and program |
| CN115189819A (en) | | Method, device and terminal for determining PUCCH (physical uplink control channel) resources |
| CN111066264B (en) | | Dynamic calibration for audio data transfer |
| TWI475407B (en) | | Reducing latency for served applications by anticipatory preprocessing |
| CN105988769B (en) | | A method and device for mixing input |
| JP5744673B2 (en) | | Information processing system, information processing method, and program |
| KR20140116725A (en) | | Method and apparatus for block encryption algorithm |
| WO2019036092A1 (en) | | Dynamic audio data transfer masking |
| JP6631539B2 (en) | | Apparatus, method and computer program |
| JP2015141500A (en) | | Digital signal processor system and signal processor |
| KR102835012B1 (en) | | Electronic apparatus and cryptanalysis method thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | MM4A | Annulment or lapse of patent due to non-payment of fees | |